The vulnerability CVE-2026-32953 affects the tillitis tkeyclient Go module, specifically versions 1.2.0 and earlier. The tkeyclient package is used for cryptographic key derivation involving User Supplied Secrets (USS) to generate a Compound Device Identifier (CDI). The flaw arises from a buffer index error that causes the USS-enabled boolean flag to be overwritten by the first byte of the USS digest. Since the USS digest is a hash, approximately 1 out of every 256 USS values will have a hash starting with 0x00. When this occurs, the boolean flag indicating USS usage is incorrectly set to false, causing the system to ignore the USS silently. Consequently, the CDI and derived key material are identical to those generated without any USS, effectively negating the security benefits of the USS. This undermines the authentication algorithm's integrity and could allow attackers to predict or reuse keys in scenarios relying on USS uniqueness. The vulnerability does not require authentication or user interaction to exploit but depends on the USS chosen. The issue has been addressed in version 1.3.0 of the tkeyclient package. Users unable to upgrade immediately are advised to avoid USS values whose hash begins with 0x00 to mitigate the risk. No public exploits or active attacks have been reported to date.

This vulnerability impacts the confidentiality and integrity of cryptographic operations relying on the tillitis tkeyclient package. By silently ignoring certain USS values, the system may generate identical key material for different users or devices, potentially allowing unauthorized access or key reuse attacks. This could compromise secure communications, authentication, or data protection mechanisms that depend on unique USS-derived keys. The probability of exploitation is low (1 in 256 USS values), but the silent nature of the failure increases the risk of unnoticed security degradation. Organizations using affected versions in critical infrastructure, IoT devices, or secure authentication systems may face increased risk of key collisions or impersonation. However, the vulnerability does not affect availability and requires specific USS conditions, limiting widespread exploitation. The medium CVSS score (4.7) reflects moderate impact with relatively low exploit complexity but significant consequences for confidentiality and integrity if exploited.

The primary mitigation is to upgrade the tillitis tkeyclient package to version 1.3.0 or later, where the buffer index error is fixed. For organizations unable to upgrade immediately, a practical workaround is to ensure that User Supplied Secrets (USS) do not produce a hash starting with 0x00. This can be implemented by pre-hashing candidate USS values and verifying the first byte before acceptance. Rejecting or regenerating USS values with a leading zero byte in their hash prevents the silent discard of USS and maintains key uniqueness. Additionally, organizations should audit existing USS usage to detect potential collisions or reused key material. Implementing monitoring to detect unexpected identical Compound Device Identifiers (CDIs) may help identify exploitation attempts. Finally, integrating secure coding practices and thorough testing for cryptographic modules can prevent similar buffer and flag overwrite errors in the future.